Analysis
- max time kernel: 126s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 18/08/2024, 22:16
Behavioral task: behavioral1
- Sample: Client-built.exe
- Resource: win7-20240704-en
General
- Target: Client-built.exe
- Size: 3.4MB
- MD5: ad8250eea17d8d7db7c3c23aba289f5c
- SHA1: c63d1c6b6e8b7789a777b1ffe55f15bbbfc3cc59
- SHA256: f3de21ec995555ab187ce0a254d2b353c1ed3c06030678f898ec56efabbae51f
- SHA512: d34b9db43bd08dea4452925c7c1cf4014d03b024a663b5ee938a4f205b3c6c49eccd169cbc687145d54223d07aafcde75ee0807963e705c9c71e130c00086abd
- SSDEEP: 49152:tei8dGFjxJFp/DGoye3Z4LVXcBzJQI2zoTHHB72eh2NTfbDW:teCFjxJTbGor3Z4LVSeDH
Malware Config
Extracted: quasar
- 1.4.1
- SKIDS
- 147.185.221.22:10340
- 9b51d4f5-bfe4-4a06-ba47-dcfbf9fe8529
- encryption_key: AEAE9E349BB922A243A5FF22FF4A80613533B71B
- install_name: Windows Host Process.exe
- log_directory: Windows-Logs
- reconnect_delay: 3000
- startup_key: Windows Host Process
- subdirectory: Windows
Signatures
- Quasar payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/memory/2564-1-0x0000000000280000-0x00000000005E0000-memory.dmp: family_quasar
  - behavioral1/files/0x0008000000016d2a-6.dat: family_quasar
  - behavioral1/memory/2920-10-0x0000000000850000-0x0000000000BB0000-memory.dmp: family_quasar
- Executes dropped EXE (1 IoC)
  pid / Process:
  - 2920: Windows Host Process.exe
- Drops file in System32 directory (5 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\system32\Windows\Windows Host Process.exe (Client-built.exe)
  - File opened for modification: C:\Windows\system32\Windows\Windows Host Process.exe (Client-built.exe)
  - File opened for modification: C:\Windows\system32\Windows (Client-built.exe)
  - File opened for modification: C:\Windows\system32\Windows\Windows Host Process.exe (Windows Host Process.exe)
  - File opened for modification: C:\Windows\system32\Windows (Windows Host Process.exe)
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 2688: schtasks.exe
  - 2816: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege; 2564: Client-built.exe
  - Token: SeDebugPrivilege; 2920: Windows Host Process.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process:
  - 2920: Windows Host Process.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / Process / procid_target:
  - PID 2564 wrote to memory of 2816; 2564; Client-built.exe; 30
  - PID 2564 wrote to memory of 2816; 2564; Client-built.exe; 30
  - PID 2564 wrote to memory of 2816; 2564; Client-built.exe; 30
  - PID 2564 wrote to memory of 2920; 2564; Client-built.exe; 32
  - PID 2564 wrote to memory of 2920; 2564; Client-built.exe; 32
  - PID 2564 wrote to memory of 2920; 2564; Client-built.exe; 32
  - PID 2920 wrote to memory of 2688; 2920; Windows Host Process.exe; 33
  - PID 2920 wrote to memory of 2688; 2920; Windows Host Process.exe; 33
  - PID 2920 wrote to memory of 2688; 2920; Windows Host Process.exe; 33
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 2564
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
    PID: 2816
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\Windows\Windows Host Process.exe
    "C:\Windows\system32\Windows\Windows Host Process.exe"
    PID: 2920
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
      PID: 2688
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15